Add Azure managed identity Postgres DB login support #1601
Comments
Hey @nbjohnson 👋. Thanks for opening the issue! Discussed this issue with the team today and below are our thoughts: We don't want to introduce new inconsistencies in support for platforms. So, we would need to implement and maintain similar login support for other popular clouds. We do not want to be on the hook for maintaining managed identity support across cloud platforms. Instead, we believe that this type of support may already be possible using the cheers 🍻
@dopey Thanks for taking a look at my request. Yes, I did see the ability to pass creds with those environment variables, which I also think would work. However, I don't think that is the limiting factor here. To use an identity means the credential is only valid for a short time, so I think code would need to be added to be able to periodically retrieve a new credential and to make sure it does that before the existing short-lived cred expires.
After discussion with the team, we're not looking to add authorization methods to smallstep/nosql, with the exception of x509 certificate based authentication. Users can already exchange Azure managed identity credentials for certificates (using the IID provisioners). The remaining part would be integrating client certificate authentication into smallstep/nosql as well as providing tooling around renewal. Unfortunately, we don't have the resourcing to prioritize integrating certificate based authentication against the storage layer at this time. If someone from the community is interested in taking this on, let us know and we can chat about requirements.
One of the challenges with password authentication is corporate password renewal policies. Managed Identities give us a path to set-it-and-forget-it. @dopey can you explain the x509 authentication method? Are you saying I can generate an x509 to authenticate with Azure services? Are you suggesting I can achieve a similar result as the managed identity using the method you described? Is there a doc for that approach?
Hello!
Issue details
Since PostgreSQL is supported as a backend DB, can support be added for retrieving a token using a managed identity rather than providing a static password? In my case specifically Azure, but it might be straightforward to support multiple cloud providers depending on others' implementations.
Why is this needed?
Adding support for identity auth will improve the security posture of step-ca as it is one less static credential, especially for a critical service.
Possible Implementation
Based on the docs it seems the implementation would be a request to the IMDS to retrieve a temporary token that can be used as a password alongside the username in the connection string. I believe the hardest part would be determining the expiration time of this credential and automatically renewing it before expiration to prevent a loss of connection.
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-with-managed-identity#retrieve-the-access-token-from-the-azure-instance-metadata-service
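One way to implement the exchange sketched above (request a short-lived token from IMDS, use it as the Postgres password, renew it before it expires), and the renewal loop @nbjohnson argues is the real work in the comments, as an added Go example that is not code from the smallstep project or from this issue. It calls the IMDS token endpoint with the `Metadata: true` header and `api-version=2018-02-01` query that the linked Microsoft doc describes, reads `access_token` and `expires_on` from the response, and re-fetches once the cached token is within five minutes of expiry so that a driver reconnect never carries a stale credential. The `TokenProvider`/`NewTokenProvider` names, the five-minute margin, the injectable `now` clock and the `fakeIMDS` stand-in server (constructed so the example runs offline) are assumptions made for this example; the audience `https://ossrdbms-aad.database.windows.net` is the one Microsoft documents for Azure Database for PostgreSQL.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"sync"
	"time"
)

// imdsResponse mirrors the JSON the Azure Instance Metadata Service token
// endpoint returns; expires_on is a string holding Unix seconds.
type imdsResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
}

// TokenProvider fetches managed-identity tokens from IMDS and caches one,
// re-fetching ahead of expiry so a (re)connect never carries a stale token.
type TokenProvider struct {
	endpoint      string           // IMDS base URL; http://169.254.169.254 on a real VM
	resource      string           // token audience for Azure Database for PostgreSQL
	refreshBefore time.Duration    // re-fetch when this close to expiry (assumed margin)
	client        *http.Client
	now           func() time.Time // injectable clock (hypothetical; eases testing)
	mu            sync.Mutex
	token         string
	expiry        time.Time
}

func NewTokenProvider(endpoint, resource string, client *http.Client) *TokenProvider {
	return &TokenProvider{endpoint: endpoint, resource: resource,
		refreshBefore: 5 * time.Minute, client: client, now: time.Now}
}

// fetch performs one IMDS request; IMDS requires the "Metadata: true" header.
func (p *TokenProvider) fetch(ctx context.Context) (string, time.Time, error) {
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {p.resource}}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet,
		p.endpoint+"/metadata/identity/oauth2/token?"+q.Encode(), nil)
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Metadata", "true")
	resp, err := p.client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", time.Time{}, fmt.Errorf("imds: unexpected status %d", resp.StatusCode)
	}
	var r imdsResponse
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return "", time.Time{}, err
	}
	secs, err := strconv.ParseInt(r.ExpiresOn, 10, 64)
	if err != nil || r.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("imds: malformed token response")
	}
	return r.AccessToken, time.Unix(secs, 0), nil
}

// Password returns a token to pass as password= in the Postgres DSN, re-fetching
// once the cached one is within refreshBefore of expiry. Build the DSN from this
// on every (re)connect rather than caching a DSN that embeds a dying token.
func (p *TokenProvider) Password(ctx context.Context) (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token != "" && p.now().Add(p.refreshBefore).Before(p.expiry) {
		return p.token, nil
	}
	tok, exp, err := p.fetch(ctx)
	if err != nil {
		return "", err
	}
	p.token, p.expiry = tok, exp
	return tok, nil
}

// fakeIMDS is a constructed stand-in for the metadata service so the example
// runs offline; each call mints a fresh token valid for ttl and counts calls.
func fakeIMDS(ttl time.Duration, calls *int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" {
			http.Error(w, "missing Metadata header", http.StatusBadRequest)
			return
		}
		*calls++
		_ = json.NewEncoder(w).Encode(imdsResponse{
			AccessToken: fmt.Sprintf("tok-%d", *calls),
			ExpiresOn:   strconv.FormatInt(time.Now().Add(ttl).Unix(), 10),
		})
	}))
}
```

The provider is meant to be shared by the storage layer: the driver asks for `Password` each time it opens a connection (for `database/sql`, from a connector or a DSN-rebuilding hook), so renewal is driven by expiry rather than by a fixed timer, and a token that IMDS returns without a parseable `expires_on` is rejected instead of being used with an unknown lifetime. On a real VM the endpoint is `http://169.254.169.254`; the fake server below only exists so the logic can be exercised without Azure.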